Recently, Tom Keane from Microsoft announced the general availability of Azure Government and Azure Government Top Secret. This began a multi-step process that allows national security missions to move into this higher classification level. The easy part is moving from the previous tier to the new one; the more challenging tasks lie ahead of you and your team.
This post will help you prepare for the transition by offering tools, tips, and insights from years of experience working with hundreds of customers who have completed similar protected data moves. Keane explains that Azure Government brings unique challenges and requirements as you move from a public cloud to a protected environment. According to him, these include meeting specific compliance requirements, following organizational policies and procedures, safeguarding the protected data and its infrastructure, securing data in transit (for example with IPsec), and protecting your Microsoft identity, all while keeping the benefits of cloud technologies such as automation and agility.
Protecting your data at rest and in transit
As Tom Keane recalls, the fundamental truth about the cloud is that you cannot control where your data resides. Your data may sit in a variety of locations, including Microsoft data centers in many different countries, or with third-party cloud providers.
While the physical location of the Azure Government infrastructure is a known and trusted environment, there are other locations where your data can be stored alongside other customers or partners who are not under your control. Tom Keane explains that this is why you must secure your data both at rest and in transit. At rest, Azure Government provides an isolated, protected environment with authentication and authorization controls that meet strict government requirements.
In transit, Tom Keane states, you can encrypt your traffic with IPsec and define custom policies governing how that encryption is used. The Microsoft Cloud Trust Protocol (CSP), a multi-party protocol that establishes authenticated communication with a cloud service provider, supports Azure Government security features. CSP enables organizations to use their trust relationships with third-party clouds while keeping the same Microsoft identity and identity assurance benefits they enjoy in Azure Government.
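As an added example that is not part of the original post, the following POSIX shell script shows one way to treat a custom IPsec policy as something to vet rather than just apply: it rejects policies that include weak algorithms or that switch protection off (null encryption, no PFS) and, only for a policy that passes, prints the Azure CLI commands (az cloud set, az network vpn-connection ipsec-policy add) that would apply it to a VPN connection in the Azure Government cloud. The resource group and connection names, the sample policies, and the SA lifetime and size values are constructed placeholders; the flag and algorithm names follow the Azure CLI as documented, and the script never executes az itself.

```shell
#!/bin/sh
# Added example (not from the original post): vet an IKE/IPsec policy for an
# Azure VPN connection before applying it, then print the Azure CLI commands
# that would apply it against the Azure Government cloud.
# Resource group and connection name are placeholders; the algorithm names are
# the values the Azure CLI accepts for these flags.

# is_weak ALG: succeed (return 0) when ALG is an algorithm or group we treat
# as weak, or as disabling protection entirely ("None": null encryption / no PFS).
is_weak() {
  case "$1" in
    DES|DES3|MD5|SHA1|DHGroup1|DHGroup2|PFS1|PFS2|None) return 0 ;;
    *) return 1 ;;
  esac
}

# check_policy IKE_ENC IKE_INT IPSEC_ENC IPSEC_INT DH_GROUP PFS_GROUP
# Prints "ok" when every element is acceptable; otherwise prints "weak:"
# followed by the offending values and returns 1.
check_policy() {
  bad=""
  for alg in "$@"; do
    if is_weak "$alg"; then
      bad="$bad $alg"
    fi
  done
  if [ -n "$bad" ]; then
    echo "weak:$bad"
    return 1
  fi
  echo "ok"
}

# policy_cmds RG CONN IKE_ENC IKE_INT IPSEC_ENC IPSEC_INT DH_GROUP PFS_GROUP
# Prints the commands that would apply the policy; executes nothing.
policy_cmds() {
  rg="$1"; conn="$2"; shift 2
  # Refuse to emit commands for a policy that fails the check.
  check_policy "$@" >/dev/null || return 1
  # Point the CLI at the Azure Government cloud before touching resources.
  echo "az cloud set --name AzureUSGovernment"
  printf 'az network vpn-connection ipsec-policy add --resource-group %s --connection-name %s' "$rg" "$conn"
  printf ' --ike-encryption %s --ike-integrity %s' "$1" "$2"
  printf ' --ipsec-encryption %s --ipsec-integrity %s' "$3" "$4"
  printf ' --dh-group %s --pfs-group %s' "$5" "$6"
  # SA lifetime in seconds and SA data size in kilobytes: constructed sample values.
  printf ' --sa-lifetime 28800 --sa-max-size 102400000\n'
}

# Demonstration with constructed policies and placeholder resource names.
# Note: with GCMAES as the IPsec cipher, Azure requires the same GCMAES
# algorithm for IPsec integrity, which the STRONG policy respects.
WEAK="DES3 SHA1 AES128 MD5 DHGroup2 PFS2"
STRONG="AES256 SHA384 GCMAES256 GCMAES256 DHGroup14 ECP384"

# shellcheck disable=SC2086
if check_policy $WEAK; then
  echo "unexpected: weak policy passed"
else
  echo "weak policy rejected, as expected"
fi
# shellcheck disable=SC2086
policy_cmds rg-mission-placeholder cn-onprem-placeholder $STRONG
```

Run it as-is to see the weak sample rejected and the command lines for the strong sample printed; in practice you would pipe the printed commands into a change-review step rather than straight into a shell, so the policy that reaches the gateway is the one that was actually checked.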
The combination of CSP, IPsec, and end-to-end encryption provides all the layers necessary for mission-critical data security, whether on-premises or in the cloud. This can include sensitive data such as personnel records, patient health records, and financial information. Beyond these basic requirements, Tom Keane adds, many specific security requirements can make moving data or processes into Azure Government challenging. For example, the US Office of Personnel Management allowed government-owned mobile devices to store and access data.
